SELinux and SGID

Douglas Brown d46.brown at student.qut.edu.au
Sat Mar 2 09:29:56 UTC 2013


On 02/03/2013, at 5:06 PM, Douglas Brown wrote:

> I have a RHEL 6.3 machine enforcing the mls policy. When I try to set the SGID bit on a folder with `chmod g+s folder_name`, the command's exit code is 0; nothing is logged in /var/log/messages or /var/log/audit/audit.log; but the bit isn't actually set. If I change to permissive mode with `setenforce 0`, it then works.

I'm still not quite sure why chmod wasn't returning a non-zero exit code, but here's the solution:

I thought that the lack of logging must be due to donotallow rules, so I turned them off with:

semodule -DB

Then I tried the chmod and got AVCs that, when piped to audit2why, indicated that I should check the capabilities allowed by policy. I did this with:

sesearch --allow --source sysadm_t --target user_home_t --class file -p setattr

This showed that there is in fact a rule to allow this. I then suddenly realised that I was still in the secadm_r (and therefore the secadm_t) which does not have the equivalent allow rules permitting the setattr capability on user_home_t.

I changed back to the sysadm_r with the appropriate clearance to make a change to the folder; retried the chmod, and it worked. To the best of my knowledge, the secadm_r should be used *exclusively* for declassifying objects.

I hope this helps someone else. :)

Cheers,
Doug
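The check the post found missing, as an added example (not code from the original post or the selinux project): chmod exits 0 under the MLS policy even when the SGID bit was not set, so the wrapper below verifies the mode afterwards and, on a silent failure, shows the caller's SELinux role and type together with the sesearch query that would confirm whether that type may setattr the directory. It assumes GNU `id -Z` and a standard `ls -ld` permission column; the context string used in the comments is constructed.

```shell
#!/bin/sh
# Added example: verify that `chmod g+s` actually took effect and report the
# SELinux identity when it silently did not (the symptom described above).

# Field helpers for a context string such as the constructed
# staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 (user:role:type:range).
selinux_role() { printf '%s\n' "$1" | cut -d: -f2; }
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Returns 0 if the setgid bit is set on $1, 1 if it is clear, 2 if $1 is
# unreadable. Reads the group-execute column of `ls -ld` ('s' or 'S'),
# which is portable across coreutils versions, unlike `stat -c`.
has_sgid() {
    perms=$(ls -ld "$1" 2>/dev/null) || return 2
    case "$(printf '%s' "$perms" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Applies g+s and verifies it. Returns 0 on success, 2 if chmod itself
# failed, and 1 if chmod returned 0 but the bit is still clear; in that
# last case it prints the role/type in use and a policy query to run.
set_sgid_checked() {
    dir=$1
    chmod g+s "$dir" || return 2
    has_sgid "$dir" && return 0
    ctx=$(id -Z 2>/dev/null) || ctx="(no SELinux context available)"
    role=$(selinux_role "$ctx")
    type=$(selinux_type "$ctx")
    echo "chmod g+s $dir returned 0 but the setgid bit is not set" >&2
    echo "current context: $ctx (role=$role type=$type)" >&2
    echo "check policy with (replace <dir_type> with the target's type):" >&2
    echo "  sesearch --allow --source ${type:-<your_type>} --target <dir_type> --class dir -p setattr" >&2
    echo "if the role lacks the rule, switch to one that has it (e.g. sysadm_r)" >&2
    return 1
}

# Usage: ./sgid_check.sh DIRECTORY
if [ "$#" -gt 0 ]; then
    set_sgid_checked "$1"
fi
```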

